@schoen said:
Thanks for sharing the domain name.
Both of the test sites that you used are testing whether you can browse the web with IPv6 connectivity, not whether a particular server has IPv6 connectivity. By running curl -6 http://domain.org/ on a machine with IPv6 connectivity, I can see that domain.org itself does not have IPv6 connectivity working properly. (Testing in a browser is not quite a strict enough test because the browser is usually willing to fall back to IPv4 if an IPv6 connection fails, which our CA is not willing to do.)
A tester you could use that will confirm the problem is
You have to put in the domain name. You'll see that the AAAA DNS record is provided but that connections to your server fail over IPv6.
This is probably why your renewal stopped working; some weeks ago, the Let's Encrypt CA was updated to prefer IPv6 over IPv4 for domain control checks, while before that, the behavior was the opposite.